Custom SaaS Development — Subscription Billing & SOC 2 Ready

SaaS is one of the few software categories where the architecture choices made in the first sprint shape the cost of every customer for the life of the product. Multi-tenancy model (pooled, schema-per-tenant, or database-per-tenant), billing primitives (subscription, usage, hybrid, contract), identity and access architecture (SSO, role hierarchy, per-tenant API keys), and the audit and observability stack are all hard to reverse once paying customers depend on them. We have seen the cleanup work after the wrong call — multi-quarter migrations and dramatic infrastructure costs that the founding team never modeled.

The compliance perimeter for B2B SaaS is also wide and expanding. SOC 2 Type II is now the table-stakes signal for enterprise procurement. ISO 27001 follows close behind for international sales. GDPR and ePrivacy in Europe, CCPA and CPRA in California, plus a growing wave of state privacy laws (VCDPA, CPA, CTDPA, UCPA, TDPSA, OCPA, MCDPA) all impose specific data-handling, retention, and DSR fulfillment obligations. And the 2024–2026 wave of state-level AI disclosure and high-risk-AI laws (Colorado AI Act, NYC Local Law 144, Utah AI Policy Act) means SaaS products with AI features now have specific consumer-disclosure and impact-assessment obligations that bolt onto the existing privacy stack.

SOC 2 Type II. Most enterprise buyers will not take the procurement call without a report. We build with Common Criteria mapped to controls — encryption, RBAC, audit logging, change management, incident response, vendor management — and produce evidence packs for Vanta, Drata, or Secureframe.

ISO 27001. Required for many international and regulated-industry deals. We map controls to Annex A and produce the documentation set the certification body expects.

GDPR and CCPA/CPRA. Lawful basis tracking, consent capture, data subject access requests, deletion workflows, and DPA-aligned vendor management. Privacy preference centers wired through the data layer so analytics and marketing pixels respect user consent.

State privacy law (VCDPA, CPA, CTDPA, UCPA, TDPSA, OCPA, MCDPA). Each state has its own definitions of personal data, sensitive data, controller and processor obligations, and DSR fulfillment windows. We build a single internal privacy framework that covers the strictest state and applies it everywhere.

PCI-DSS scope. Stripe Elements or Checkout tokenizes cards so the SaaS stays in SAQ A. Stored card data lives in Stripe, not the application database.

AI disclosure laws. Colorado AI Act (effective 2026), NYC Local Law 144 on automated employment decision tools, and growing state-level rules require disclosure, impact assessment, and bias-testing documentation for high-risk AI features. We build the disclosure UX and the audit trail into the AI feature itself.

HIPAA when PHI is in scope. SaaS serving healthcare gets HIPAA Security Rule controls — encryption, RBAC, audit logging, BAA-eligible infrastructure — applied on top of the SOC 2 baseline.

Next.js 15 or 16 with React 19 and TypeScript for the application layer. Postgres on Neon, Supabase, or RDS for the system of record. Prisma or Drizzle as the ORM with strict tenant-scoping middleware. Stripe Billing for subscriptions and usage; Stripe Tax for sales tax. Clerk, WorkOS, or Auth0 for identity — WorkOS specifically when SAML SSO is a near-term need.

For observability, Datadog or Better Stack for logs and metrics, Sentry for error tracking with PII redaction in the logger, and OpenTelemetry traces for the critical paths. Background jobs on Inngest or BullMQ+Redis. Background-job idempotency is non-negotiable for billing-adjacent workflows. Hosting on Vercel for the web tier with edge functions for the cold paths; a serverless function tier (Cloud Run, Lambda) or a small dedicated Postgres replica for heavy compute. See the subscription billing service and custom Stripe integration pages for the billing patterns we use.

Three patterns recur. First, the v1 ships with no tenant isolation in the data model. The MVP works because there are only five customers. Customer six finds the cross-tenant bug at the worst possible time — usually an evaluation by the customer's security team — and the rebuild eats a quarter. Build tenant isolation in the schema before the first paying customer.

Second, billing gets bolted on with naive Stripe integration. Subscriptions are wired, but proration is wrong, usage isn't idempotent, and refunds do not reconcile cleanly into the accounting system. The first customer who churns and disputes the final invoice exposes the entire mess. Wire Stripe Billing carefully from the start; the cost difference between getting it right and getting it wrong is measured in months of support and finance pain.

Third, SOC 2 gets treated as a paperwork exercise the GRC tool will handle. The reality is that SOC 2 evidence requires structured audit logs, controlled access reviews, real change-management gates, and incident response runbooks that get exercised. A SaaS that bolts these on six weeks before the auditor arrives ends up failing the observation window or producing a heavily-qualified report. Build the controls into the engineering process from quarter one.